commit 639d0ff3de76125cd55f04e2851a7e1e86d93de1
parent b7c30ba978454a5aca87b004acb764db8d0d5707
Author: Christian Grothoff <grothoff@gnunet.org>
Date: Mon, 13 Jul 2026 20:40:56 +0200
fix cross-client validation
Diffstat:
3 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/src/challenger/challenger-httpd_token.c b/src/challenger/challenger-httpd_token.c
@@ -414,9 +414,19 @@ CH_handler_token (struct CH_HandlerContext *hc,
enum GNUNET_DB_QueryStatus qs;
char *code;
enum CHALLENGER_CM code_challenge_method_enum;
-
+ unsigned long long code_client_id;
+ char code_dummy;
+
+ /* bc->client_id was already validated as a number in the client-auth
+ block above; re-parse it here (it is out of scope) so we can bind the
+ authorization code to the authenticated client. */
+ GNUNET_assert (1 == sscanf (bc->client_id,
+ "%llu%c",
+ &code_client_id,
+ &code_dummy));
qs = CHALLENGERDB_validation_get_pkce (CH_context,
&bc->nonce,
+ (uint64_t) code_client_id,
&client_secret,
&address,
&client_scope,
diff --git a/src/challengerdb/validation_get_pkce.c b/src/challengerdb/validation_get_pkce.c
@@ -30,6 +30,7 @@ enum GNUNET_DB_QueryStatus
CHALLENGERDB_validation_get_pkce (
struct CHALLENGERDB_PostgresContext *ctx,
const struct CHALLENGER_ValidationNonceP *nonce,
+ uint64_t client_id,
char **client_secret,
json_t **address,
char **client_scope,
@@ -43,6 +44,7 @@ CHALLENGERDB_validation_get_pkce (
struct GNUNET_PQ_QueryParam params[] = {
GNUNET_PQ_query_param_auto_from_type (nonce),
GNUNET_PQ_query_param_absolute_time (&now),
+ GNUNET_PQ_query_param_uint64 (&client_id),
GNUNET_PQ_query_param_end
};
struct GNUNET_PQ_ResultSpec rs[] = {
@@ -88,7 +90,8 @@ CHALLENGERDB_validation_get_pkce (
" JOIN clients "
" USING (client_serial_id)"
" WHERE nonce=$1"
- " AND expiration_time > $2");
+ " AND expiration_time > $2"
+ " AND client_serial_id=$3");
return GNUNET_PQ_eval_prepared_singleton_select (ctx->conn,
"validation_get_pkce",
params,
diff --git a/src/include/challenger-database/validation_get_pkce.h b/src/include/challenger-database/validation_get_pkce.h
@@ -35,6 +35,7 @@
*
* @param cls
* @param nonce unique nonce to use to identify the validation
+ * @param client_id serial id of the authenticated client redeeming the code
* @param[out] client_secret set to secret of client (for client that setup the challenge)
* @param[out] address set to client-provided address
* @param[out] client_scope set to OAuth2 scope
@@ -51,6 +52,7 @@ enum GNUNET_DB_QueryStatus
CHALLENGERDB_validation_get_pkce (
struct CHALLENGERDB_PostgresContext *ctx,
const struct CHALLENGER_ValidationNonceP *nonce,
+ uint64_t client_id,
char **client_secret,
json_t **address,
char **client_scope,